December 18, 2024

A Word from the Ghost of Holiday Future: SEC Active in Cybersecurity and AI Actions

Holland & Knight SECond Opinions Blog
Allison Kernisky | Jessica B. Magee

The SEC was increasingly active in fiscal year (FY) 2024 in pursuing enforcement actions involving cybersecurity incidents and artificial intelligence (AI) (query how long society will continue to define AI; harkens to the time when our parents continued to insist on spelling out each "w" in front of a website's domain). In this seventh installment of Season's Readings, we look back at this year's developments involving cybersecurity and AI and point a futuristic finger silently into 2025 and beyond.

Cybersecurity Enforcement Has a Moment – Just Not the One the SEC Was Hoping For

As announced in its FY 2024 results, the SEC's Division of Enforcement was busy this year policing issuers' disclosures of cybersecurity incidents.

This heightened enforcement activity came on the heels of the SEC's enactment of new rules regarding cybersecurity and related disclosures at the end of FY 2023. The rules require issuers to disclose in their annual reports several detailed cyber-related metrics and any cybersecurity incident determined to be "material" via a Form 8-K, among other things. Following a slew of early Forms 8-K on which issuers proactively disclosed an array of cybersecurity incidents that were either not material or wherein materiality had not yet been determined, the SEC's then-director of the Division of Corporation Finance clapped back at what he considered "confusing" interpretation and application of the new requirements, as we covered previously.

But perhaps the SEC's biggest cyber-related moment of 2024 involved a loss in its closely watched case against SolarWinds and its chief information security officer (CISO), Timothy Brown (see our previous posts here, here, here and here). In July 2024, Judge Paul Engelmayer in the U.S. District Court for the Southern District of New York granted and denied in part the defendants' motion to dismiss the SEC's complaint, roundly rejecting the SEC's efforts to expand the Securities Exchange Act's "internal accounting controls" provision to encompass an issuer's cybersecurity controls and finding that innocent errors are "an inadequate basis" on which to plead deficient disclosure controls, as are material misrepresentation claims that rely solely on hindsight or speculation. The court dismissed the internal accounting controls and disclosure controls claims against SolarWinds and the related aiding and abetting claims against Brown. The SEC's only claims to survive dismissal are against SolarWinds and Brown and involve a narrow and specific misrepresentation the defendants allegedly made about the company's cybersecurity practices and risks.

Beyond SolarWinds, Enforcement brought a steady number of settled actions, including against 1) a stock exchange and nine of its subsidiaries in May 2024 for failure to timely alert the SEC to a cyber intrusion, 2) a public company in June 2024 for disclosure and internal control failures relating to cybersecurity incidents (see our earlier post) and 3) a transfer agent in August 2024 for failure to secure client securities and funds against theft or misuse.

And notwithstanding its loss in SolarWinds, the SEC continued its focused pursuit of what it considered deficient cybersecurity incident disclosures into FY 2025 (which commenced Oct. 1, 2024). As we discussed previously, on Oct. 22, 2024, the SEC announced four settled enforcement actions against victims of cybersecurity attacks attributed to compromised Orion software sold by SolarWinds and at issue in the SEC's case against it. The SEC alleged that the four companies' disclosures concerning these incidents or cyber risk factors "negligently minimized" the impact of the incidents on their business. These settlements triggered a blistering dissent from two of the five SEC commissioners, who accused the SEC of "Monday morning quarterback[ing]" and engaging in "hindsight review to second-guess the disclosure." Now, with the departures of Director of Enforcement Gurbir Grewal, Commissioner Jaime Lizárraga and SEC Chair Gary Gensler, time will tell the impact new commissioners and anticipated incoming Chair Paul Atkins will have on Enforcement activity involving cybersecurity incidents.

AI-Washing Enforcement Activity Keeps Apace in 2024

In FY 2024, the SEC remained vigilant in another emerging area, so-called "AI washing," in which a company allegedly makes false or misleading statements about its use of AI. Enforcement settled multiple AI-washing actions in FY 2024, including a March 18, 2024, settlement with two investment advisers for allegedly making false and misleading statements about their use of AI in the investment process, including that the adviser was the "first regulated AI financial advisor." Enforcement also brought charges on Aug. 27, 2024, in the U.S. District Court for the District of South Dakota against a foreign investment adviser and its CEO for allegedly falsely asserting that its AI technology could generate above-market returns while protecting "100%" of client funds.

Enforcement continued aggressively targeting AI-related disclosures in FY 2025 by announcing a settlement on Oct. 10, 2024, with an investment adviser for allegedly making false and misleading statements about its use of AI. To date, however, the SEC's enforcement of AI issues has been limited to misrepresentations about its role or utility in the business, rather than more nuanced and complex issues posed by the use of AI in the securities markets. Whether a new administration will focus on increasing staff expertise to understand and enforce the law with regard to, for instance, risks and opportunities involved in the use of AI in broker-dealer and investment advisory services remains to be seen.

As winter continues its erratic descent over the country (this morning we needed a parka, this afternoon we're in shorts), future ghosts rattle their chains and portend that the SEC will continue to focus on enforcement of alleged disclosure deficiencies involving cybersecurity incidents and claims of AI expertise or use of AI tools. All are advised to take heed of these Enforcement examples to avoid a similar fate.
